git@vger.kernel.org mailing list mirror (one of many)
From: Junio C Hamano <gitster@pobox.com>
To: git@vger.kernel.org
Cc: Linux Kernel <linux-kernel@vger.kernel.org>
Subject: [ANNOUNCE] Git v2.13.6 and others
Date: Tue, 26 Sep 2017 15:09:00 +0900
Message-ID: <xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com>

Maintenance releases Git v2.10.5, v2.11.4, v2.12.5 and v2.13.6 are
now available at the usual places.  These are solely about hardening
"git shell" that is used on servers against unsafe user input,
which "git cvsserver" copes with poorly.  A copy of the release notes
for v2.10.5 is attached at the end of the message, but the notes for
other releases listed above essentially say the same thing.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.10.5',
'v2.11.4', 'v2.12.5' and 'v2.13.6' tags and some of them have the
'maint-2.10', 'maint-2.11', 'maint-2.12' and 'maint-2.13' branches
that the tags point at:

  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://github.com/gitster/git

Note that the committed version of the release notes for these
versions all incorrectly mention "git daemon", where they should
have said "git shell".  It has been corrected in the attached copy,
but because the release engineering was done several days in advance
and the tags have already been shared with binary packagers and
others at the git-security@googlegroups.com mailing list, these
release tarballs are issued _with_ the known typo to avoid confusion
of having two release tags with different contents.  Sorry about that.

----------------------------------------------------------------

Git v2.10.5 Release Notes
=========================

Fixes since v2.10.4
-------------------

 * "git cvsserver" no longer is invoked by "git shell" by default,
   as it is old and largely unmaintained.

 * Various Perl scripts did not use safe_pipe_capture() instead of
   backticks, leaving them susceptible to end-user input.  They have
   been corrected.

Credits go to joernchen <joernchen@phenoelit.de> for finding the
unsafe constructs in "git cvsserver", and to Jeff King at GitHub for
finding and fixing instances of the same issue in other scripts.

----------------------------------------------------------------

Changes since v2.10.4 are as follows:

Jeff King (3):
      shell: drop git-cvsserver support by default
      archimport: use safe_pipe_capture for user input
      cvsimport: shell-quote variable used in backticks

Junio C Hamano (3):
      cvsserver: move safe_pipe_capture() to the main package
      cvsserver: use safe_pipe_capture for `constant commands` as well
      Git 2.10.5

joernchen (1):
      cvsserver: use safe_pipe_capture instead of backticks
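As an added illustration of the backticks-versus-safe_pipe_capture() distinction from the release notes (example code written for this note, not git's own helper; the simplified safe_pipe_capture() below, the hypothetical caller names and the constructed input are assumptions):

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of the kind of value a server-side script receives
# from a remote client: a revision name carrying a shell metacharacter.
my $tainted = 'HEAD; echo INJECTED';

# Vulnerable pattern: backticks hand the whole string to /bin/sh, which
# splits on ';' and runs "echo INJECTED" as a second command.
sub unsafe_capture {
    my ($rev) = @_;
    return `printf '%s\n' $rev`;
}

# Hardened pattern: list-form pipe open passes argv straight to execvp(),
# so no shell ever parses the argument.  This mirrors the idea behind
# git's safe_pipe_capture() but is a separate, simplified implementation.
sub safe_pipe_capture {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run @cmd: $!";
    my @output = <$fh>;
    close($fh) or die "@cmd failed: $! $?";
    return wantarray ? @output : join('', @output);
}

# Defender's check: the safe variant must yield the argument verbatim,
# with the metacharacter intact and no extra line from a second command.
sub demonstrate {
    my $safe   = safe_pipe_capture('printf', '%s\n', $tainted);
    my $unsafe = unsafe_capture($tainted);
    printf "safe_pipe_capture: %s", $safe;    # one line: HEAD; echo INJECTED
    printf "backticks:         %s", $unsafe;  # two lines: HEAD, then INJECTED
    return ($safe =~ /^\Q$tainted\E\n\z/) ? 1 : 0;
}

demonstrate() if !caller;
```

Running the script under `perl -T` (taint mode) flags the backtick call as using tainted data, which is a cheap way to audit a server-side Perl script for the same class of construct.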
